port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

Gerben Wierda gerben.wierda at rna.nl
Sun Nov 14 10:52:20 UTC 2021


I contacted NLNet Labs, they updated their certs which made NSD fetch on Mojave work again for me.

Somewhere during my tests accidentally OpenSSL was activated on my machine (a destroot on nsd 4.3.8 maybe?), which killed all the installed ports that were dependent on an openssl 1.1.1 dylib (which had been made inaccessible), so suddenly a lot of programs couldn’t start anymore (Abort 6) because the dylib wasn’t there. That kind of forced me to do a quick update of everything.

So I updated NSD to 4.3.8 and created a pull request for it (as the existing MacPorts version 4.1.2 would not compile with OpenSSL3, which is now standard, and I am an NSD maintainer).

That change has now been merged with MacPorts master (yes! yes! I did it correctly! I’m getting the hang of it!).

Everything NSD is back as it should be.

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A Enterprise Architecture <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>

> On 8 Nov 2021, at 03:54, Dave Horsfall <dave at horsfall.org> wrote:
> 
> On Sun, 7 Nov 2021, Bill Cole wrote:
> 
>>> So I wonder how widespread this problem is?
>> 
>> The problem in this case is not the existence of the cert in the CA bundle, but the fact that this particular expired cert was used in an alternative validation path and the logic of verification for multi-path certs isn't correct. Normally, expired root CAs should stay in there because that allows positive non-verification of certs supposedly issued by an expired (and maybe compromised) root CA.
> 
> Gotcha; thanks.
> 
>>> And I'm not happy with those that are set way in the future; I heard somewhere that 5 years is the recommended max.
>> 
>> CAs are special. The current limit on server certs is 397 days. I don't think there's a consensus on CA lifetimes because of the conflicting risks of too-short and too-long lives.
> 
> One day past a leap year :-)  I don't remember where I saw the 5-year recommendation, unfortunately.
> 
> -- Dave
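The multi-path problem Bill Cole describes above, modelled as an added example (not code from this thread, from NSD or from OpenSSL): a verifier that only follows the first matching issuer fails when that issuer is a cross-certificate leading to an expired root, while a verifier that backtracks over alternative issuers still finds the valid path, and an expired root left in the store still yields a clean failure when it is the only root. All certificate names, dates and the trust store are constructed; no real parsing or signature checking is done.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

def valid_on(cert: Cert, today: date) -> bool:
    return today <= cert.not_after

def naive_verify(leaf, pool, roots, today):
    """Single-path logic: always follow the first matching issuer, never backtrack."""
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:          # stop at a self-signed cert
        nxt = next((c for c in pool + roots if c.subject == chain[-1].issuer), None)
        if nxt is None:
            return None
        chain.append(nxt)
    ok = chain[-1] in roots and all(valid_on(c, today) for c in chain)
    return chain if ok else None

def verify_with_backtracking(leaf, pool, roots, today):
    """Multi-path logic: try every candidate issuer; fail only when no path reaches a valid root."""
    def build(chain):
        cur = chain[-1]
        if not valid_on(cur, today):
            return None                                    # dead end: an expired cert on this path
        if cur in roots:
            return chain                                   # reached a trusted, still-valid root
        for cand in pool + roots:
            if cand.subject == cur.issuer and cand not in chain:
                found = build(chain + [cand])
                if found:
                    return found
        return None
    return build([leaf])

# Constructed scenario (assumed names and dates): the server sends its leaf, the
# intermediate and a cross-signed copy of the new root issued by the old, now-expired root.
TODAY = date(2021, 11, 14)
LEAF = Cert("www.example.test", "Intermediate CA", date(2022, 6, 1))
INTERMEDIATE = Cert("Intermediate CA", "New Root", date(2025, 1, 1))
CROSS_SIGNED_NEW_ROOT = Cert("New Root", "Old Root", date(2024, 9, 30))
OLD_ROOT = Cert("Old Root", "Old Root", date(2021, 9, 30))   # expired, deliberately kept in the store
NEW_ROOT = Cert("New Root", "New Root", date(2035, 6, 4))
POOL = [INTERMEDIATE, CROSS_SIGNED_NEW_ROOT]                  # certificates presented by the server
ROOTS = [OLD_ROOT, NEW_ROOT]                                  # local trust store
```

With `ROOTS` as above, `naive_verify` returns `None` because its only path ends at the expired old root, whereas `verify_with_backtracking` returns the three-certificate chain ending at the self-signed new root.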


